Hi all, thanks for the reply. I have tested with the pike module. It is very simple.
------
modparam("pike", "sampling_time_unit", 3)
modparam("pike", "reqs_density_per_unit", 20)

# posted as: if (method = 'REGISTER | OPTION | BYE')
# corrected to the is_method() test and the real method name OPTIONS
if (is_method("REGISTER|OPTIONS|BYE")) {
    if (!pike_check_req()) {
        #TODO: do anything if you want
        drop();
        exit;
    }
}
------

I tested with sipvicious; after about 5 seconds pike detects the flood => drop the packet or send 200 OK for REGISTER (svcrash.py will stop). You can block flooding with any method.

best regards,
Nguyen Hung.

On 11/3/10, Flavio Goncalves <fla...@asteriskguide.com> wrote:
> Hi Kennard,
>
> The best way to detect is to use the return codes from the functions
> www_authorize and proxy_authorize. You can monitor the number of
> invalid authentications. I'm saving the number of invalid
> authentications in a cache variable using cache_store() for each
> specific IP (invalid_$si cache variable). The list below is from a
> previous post made by Bogdan of www_authorize return codes. The return
> codes -1 and -2 indicate an attack (or a user setting the wrong
> password). The cache variables last for a specific period of time, so
> you can use this to block the user for 15 minutes, usually enough to
> stop the attacker and allow a new try from a legitimate user.
>
> if (!www_authorize("", "subscriber")) {
>     $var(reg) = $retcode;
>     if ($var(reg) < 0) {
>         xlog("L_INFO","$var(reg)");
>         # switch on the saved code: after xlog() $retcode holds
>         # xlog()'s own return value, not www_authorize()'s
>         switch ($var(reg))
>         {
>             case -5:
>                 xlog("L_INFO","Error");
>                 break;
>             case -4:
>                 xlog("L_INFO","Please send new Register with auth info");
>                 www_challenge("", "0");
>                 exit;
>             case -3:
>                 # stale nonce (added case): re-challenge instead of
>                 # letting a legitimate phone fall through to 403
>                 www_challenge("", "0");
>                 exit;
>             case -2:
>                 xlog("L_INFO","Wrong password");
>                 break;
>             case -1:
>                 xlog("L_INFO","User doesn't exist");
>                 break;
>             default:
>                 xlog("L_INFO","Default");
>         }
>         sl_send_reply("403","Forbidden");
>         exit;
>     }
> }
>
> --------------------------------------------------
> Flavio E. Goncalves
> CEO - V.Office
> Fone: +554830258590/+554884085000
> OpenSIPS Bootcamp (Frankfurt Sep 20-24)
>
> 2010/11/3 Kennard White <kennard_wh...@logitech.com>:
>> Hi Flavio,
>>
>> How did you originally detect these register attacks? Are you using the
>> pike module or notice them some other way?
>>
>> Thanks,
>> Kennard
>>
>> On Tue, Nov 2, 2010 at 10:40 AM, Flavio Goncalves
>> <fla...@asteriskguide.com> wrote:
>>>
>>> Hi,
>>>
>>> Register attacks are now an epidemic. In most cases they are using the
>>> friendly-scanner (svcrack.py) from sipvicious.org. One easy way to
>>> block is to check the user agent for the words "friendly-scanner" and
>>> drop the packets (an attacker could easily change the user agent, but
>>> most of them are just script kiddies). There is a good tutorial on the
>>> opensips website on how to use fail2ban to block the IP address of the
>>> offenders (I think this is the best long term solution).
>>>
>>> http://www.opensips.org/Resources/DocsTutFail2ban (posted in sept/2010
>>> by the user named aseques)
>>>
>>> In some cases, when the attacker uses an old version of svcrack.py it
>>> floods your server. I have received four gigs of traffic in a single
>>> day from just one source. There is a small utility from sipvicious.org
>>> called svcrash.py capable of crashing the attacker by sending a malformed
>>> packet.
>>>
>>> I hope it helps, it has been a pain to handle these attacks every day.
>>> On a normal day we are receiving from 4 to 8 attacks from different
>>> sources.
>>>
>>> Best regards,
>>>
>>> --------------------------------------------------
>>> Flavio E. Goncalves
>>> CEO - V.Office
>>> Fone: +554830258590/+554884085000
>>> OpenSIPS Bootcamp (Frankfurt Sep 20-24)
>>>
>>> 2010/11/2 Hung Nguyen <hungbk...@gmail.com>:
>>> > Hi everybody!
>>> >
>>> > I have a problem with an attacker, as follows:
>>> >
>>> >
>>> > attack registrar
>>> >
>>> > register ------------->
>>> > register ------------->
>>> > ...
>>> > register ------------->
>>> >
>>> >
>>> > The attacker sends 200 REGISTERs/second so the registrar server goes
>>> > into error. This is the configuration for the REGISTER method:
>>> >
>>> > route[2] {
>>> >
>>> >     # ----------------------------------------------------------
>>> >     # REGISTER Message Handler
>>> >     # ----------------------------------------------------------
>>> >
>>> >     if (!search("^Contact:[ ]*\*") && nat_uac_test("7")) {
>>> >         setflag(6);
>>> >         fix_nated_register();
>>> >         fix_nated_contact();
>>> >         force_rport();
>>> >     };
>>> >
>>> >     if (!radius_www_authorize("abc.com")) {
>>> >         www_challenge("abc.com", "0");
>>> >         exit;
>>> >     };
>>> >     consume_credentials();
>>> >
>>> >     if (!save("location")) {
>>> >         sl_reply_error();
>>> >     };
>>> > }
>>> >
>>> > Please help me,
>>> >
>>> > Thanks.
>>> >
>>> > Hung
>>> >
>>> > _______________________________________________
>>> > Users mailing list
>>> > Users@lists.opensips.org
>>> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
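The two defences discussed in this thread, Nguyen Hung's pike request-density check and Flavio's per-IP failed-authentication counter kept in a cache entry with a 15-minute lifetime, can be modelled end to end outside OpenSIPS to see how they interact. The following is an added example, not code from the thread and not OpenSIPS's own implementation: it approximates pike with a per-source sliding window, emulates cache_store()-style expiring counters, and runs both over constructed log lines. The log format ("<ts> <method> <ip> auth=<www_authorize return code>"), the thresholds, and the route order (pike first, then the ban check, then authentication) are assumptions.

```python
"""Per-source-IP flood and failed-authentication tracking for a SIP registrar.

Added example, not code from the thread or from OpenSIPS. Models a pike-style
request density limit and Flavio's per-IP failed-auth counter with a TTL, then
runs both over constructed log lines. Log format and thresholds are assumed.
"""
import re
from collections import defaultdict, deque

# Constructed log format: "<unix_ts> <method> <source_ip> auth=<rc>" where rc is
# the www_authorize() return code: 1 ok, -1 user not found, -2 wrong password,
# -3 stale nonce, -4 no credentials (needs a challenge), -5 error.
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<method>[A-Z]+) (?P<ip>[\d.]+) auth=(?P<rc>-?\d+)$")
PIKE_METHODS = ("REGISTER", "OPTIONS", "BYE")   # as in the posted pike config


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return float(m["ts"]), m["method"], m["ip"], int(m["rc"])


class PikeLikeLimiter:
    """Sliding-window approximation of pike's sampling_time_unit /
    reqs_density_per_unit: at most `density` requests per source in any
    `unit` seconds (pike's real per-unit counters are coarser than this)."""

    def __init__(self, unit=3.0, density=20):
        self.unit, self.density = unit, density
        self.seen = defaultdict(deque)          # ip -> timestamps in window

    def check_req(self, ip, ts):
        """True if the request is within budget, like pike_check_req()."""
        q = self.seen[ip]
        while q and ts - q[0] >= self.unit:
            q.popleft()
        if len(q) >= self.density:
            return False
        q.append(ts)
        return True


class AuthFailureTracker:
    """Per-IP failure counter with expiry, emulating an invalid_$si cache
    entry that is refreshed on each failure and forgotten after `ttl` s."""

    def __init__(self, threshold=5, ttl=900.0):
        self.threshold, self.ttl = threshold, ttl
        self.entries = {}                        # ip -> (count, expires_at)

    def _live_count(self, ip, ts):
        count, expires_at = self.entries.get(ip, (0, 0.0))
        return count if ts < expires_at else 0   # expired entry counts as 0

    def is_blocked(self, ip, ts):
        return self._live_count(ip, ts) >= self.threshold

    def record_failure(self, ip, ts):
        count = self._live_count(ip, ts) + 1
        self.entries[ip] = (count, ts + self.ttl)
        return count


def process(lines, limiter=None, tracker=None):
    """Return [(ip, decision)] in input order, in the assumed route order:
    pike check, then the ban check, then the authentication outcome."""
    limiter = limiter or PikeLikeLimiter()
    tracker = tracker or AuthFailureTracker()
    out = []
    for line in lines:
        ts, method, ip, rc = parse_line(line)
        if method in PIKE_METHODS and not limiter.check_req(ip, ts):
            out.append((ip, "pike-drop")); continue
        if method != "REGISTER":
            out.append((ip, "forward")); continue
        if tracker.is_blocked(ip, ts):
            out.append((ip, "banned")); continue
        if rc in (-4, -3):
            out.append((ip, "challenge"))
        elif rc in (-1, -2):                     # the codes Flavio treats as attacks
            tracker.record_failure(ip, ts)
            out.append((ip, "auth-fail"))
        elif rc > 0:
            out.append((ip, "ok"))
        else:
            out.append((ip, "error"))
    return out


def summarize(decisions):
    summary = defaultdict(lambda: defaultdict(int))
    for ip, d in decisions:
        summary[ip][d] += 1
    return {ip: dict(c) for ip, c in summary.items()}


def sample_lines():
    """Constructed traffic: a scanner sending 30 REGISTERs in 1.5 s for unknown
    users, plus one more after its counter expired; a legitimate phone; and a
    user who mistypes a password three times."""
    lines = [f"{i * 0.05:.3f} REGISTER 203.0.113.7 auth=-1" for i in range(30)]
    lines += ["0.500 REGISTER 198.51.100.5 auth=-4",
              "0.700 REGISTER 198.51.100.5 auth=1",
              "1.000 REGISTER 192.0.2.9 auth=-2",
              "2.000 REGISTER 192.0.2.9 auth=-2",
              "3.000 REGISTER 192.0.2.9 auth=-2",
              "1000.000 REGISTER 203.0.113.7 auth=-1"]
    return sorted(lines, key=lambda l: float(l.split()[0]))


if __name__ == "__main__":
    for ip, counts in summarize(process(sample_lines())).items():
        print(ip, counts)
```

With the defaults (20 requests per 3 s, ban after 5 failures for 900 s) the scanner gets five 403s before the counter bans it, fifteen more requests are dropped by the ban, and the last ten of its burst never reach authentication because pike rejects them first; its request at t=1000 is authenticated again because the counter has expired, which is the "allow a new try from a legitimate user" behaviour Flavio describes. The phone that answers its challenge and the user with three typos are never blocked.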